
Keeping a Domain User Off Other Machines

I have a user on a network that has local admin rights. Other users in the office are running as Users. The problem is that this admin user is logging on to other machines and installing software. Due to company politics, his boss will not tell him to stop; I am only allowed to block his access to the other machines. I looked online but couldn't find the procedure to deny access by machine to a particular user using AD. Does anyone know how to do this, or can point me in the right direction?

On various finance and IT machines I remove Domain Users' access explicitly on the machine. By default MS allows users to log into all domain workstations: when joining the domain it adds Domain Users to the local Users group, and Domain Admins and Administrator to the local Administrators group. I remove all except for the specific user and the all-powerful domain administrator.

MLF

How people treat you is their karma- how you react is yours-Wayne Dyer
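The per-machine trimming MLF describes, as an added example (not code from the thread): it removes every domain principal from the local Users group except an explicit allow-list, so "Domain Users" (added automatically at domain join) drops out while the named finance user and any local or NT AUTHORITY principals stay. It assumes the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), an elevated session, and placeholder names (CONTOSO, the allow-list entries).

```powershell
# Added example, not from the thread. Trim the local "Users" group on a
# workstation so only an explicit allow-list of domain principals remains.
# Requires the built-in Microsoft.PowerShell.LocalAccounts module and an
# elevated session. CONTOSO and the allow-list entries are placeholders.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Domain principals (DOMAIN\name form) that may stay in the local group.
    [string[]] $Keep  = @('CONTOSO\alice.finance', 'CONTOSO\FinanceStaff'),
    [string]   $Group = 'Users'
)

$members = Get-LocalGroupMember -Group $Group
foreach ($m in $members) {
    # Leave local accounts and NT AUTHORITY principals (INTERACTIVE,
    # Authenticated Users) untouched; only domain entries are reviewed.
    if ($m.PrincipalSource -ne 'ActiveDirectory') { continue }

    if ($Keep -contains $m.Name) {
        Write-Verbose "Keeping $($m.Name)"
        continue
    }

    # Everything else from the domain, "CONTOSO\Domain Users" included,
    # is removed. -WhatIf reports the removal without performing it.
    if ($PSCmdlet.ShouldProcess($m.Name, "Remove from local group '$Group'")) {
        Remove-LocalGroupMember -Group $Group -Member $m.Name
    }
}

# Show the resulting membership so it can be checked against the allow-list.
Get-LocalGroupMember -Group $Group | Select-Object Name, ObjectClass, PrincipalSource
```

Run it first with `-WhatIf -Verbose` to see what would be dropped, then without. Because the script acts on one machine at a time, the result lasts only until something re-adds the group; on a larger estate the same membership is better enforced centrally, which is the direction the next reply takes.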

I employed another method of doing this in a large school; after using a naming convention on all machines (in which an 'S' at the end of the name indicated a student-use machine) it made it easy to organise AD into a decent OU layout.

Using group policy applied to either the student machines OU (or using policy filtering for any machine without *S) denied logon locally to a security group that had all students... In large networks I often use group nesting for granulated policies so 'students' group contained no users but another set of groups which may have again contained no users but another set of groups until the groups actually had the users listed.

I also had the staff machines grouped into departments (teaching, admin, finance) and used group policy to give ONLY that department's staff admin rights on ONLY that department's machines (group nesting for the win again). Although any staff could log on to any machine, admin rights were granted only to the staff who belonged to that department.

Group nesting may seem like needless work; but when it comes to future changes like adding a new user to the domain, you only need to add said user to a single group and every group policy is applied... no need to find 10 policies and add this new user to them etc. It's very late here; I hope anyone reading this understands the concept without enumerating the whole benefit.... just ask and I will go into complete detail - this is partly the fall down with using the "Log on to" option IMO.

...

Sadly the fall down in your case is that if the user is granted admin rights to any PC, you are restricting which machines they can log on to using their own account. If it was me and I wanted to install software, I'd log in, create a local admin account and use that account to install software.

"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
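The nested-group and GPO layout from the reply above, as an added example (not code from the thread or from any product): it creates a top-level Students group that holds only per-year groups, creates the GPO that will carry "Deny log on locally" and links it to the student-machines OU, and then gives a check to run on a workstation that resolves the SIDs in that right back to names and lists every user the nesting actually reaches. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the OU, group, user and GPO names are placeholders.

```powershell
# Added example, not from the thread. Nested student groups, the GPO that
# carries "Deny log on locally", and a workstation-side check of who the
# right catches once the policy has applied. Assumes the RSAT ActiveDirectory
# and GroupPolicy modules; all names below are placeholders.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou  = 'OU=StudentMachines,DC=contoso,DC=com'   # placeholder OU for *S machines
$top = 'Students'                                # the group the GPO will deny

# Nesting: Students contains per-year groups; only the leaf groups hold users,
# so a new pupil is added to one leaf group and every policy follows.
New-ADGroup -Name $top -GroupScope Global -GroupCategory Security -ErrorAction SilentlyContinue
foreach ($year in 'Students-Year7', 'Students-Year8') {
    New-ADGroup -Name $year -GroupScope Global -GroupCategory Security -ErrorAction SilentlyContinue
    Add-ADGroupMember -Identity $top -Members $year
}
Add-ADGroupMember -Identity 'Students-Year7' -Members 'jsmith'   # placeholder user

# Create and link the GPO. The "Deny log on locally" entry itself lives under
# Computer Configuration > Windows Settings > Security Settings > Local Policies >
# User Rights Assignment; the GroupPolicy module has no cmdlet for user rights,
# so that setting is made in the GPMC editor after the object exists.
$gpo = New-GPO -Name 'Deny Student Logon' -Comment "Denies $top interactive logon"
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes | Out-Null

# Check on a student workstation after gpupdate: export the effective local
# security policy and resolve SeDenyInteractiveLogonRight to account names.
function Get-DeniedLocalLogon {
    $inf = Join-Path $env:TEMP 'secpol.inf'
    Remove-Item $inf -ErrorAction SilentlyContinue
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeDenyInteractiveLogonRight*' }
    if (-not $line) { return @() }
    # secedit writes SIDs prefixed with '*'; names may also appear literally.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($id)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $id }
    }
}

Get-DeniedLocalLogon

# The right is evaluated against the logon token, which carries every nested
# group, so -Recursive lists exactly the users the deny will stop.
Get-ADGroupMember -Identity $top -Recursive | Select-Object SamAccountName
```

The group and GPO part runs on a management host with RSAT; `Get-DeniedLocalLogon` is meant to be run on a machine in the OU after `gpupdate /force`, and its output should match the recursive membership list. As the reply points out, this only governs which accounts can log on: a user who already holds local admin on a machine can still create a local account there, so the deny right is a control on the domain account rather than on the person.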